How to configure APS Forgot Password (FPS) Interface

Article ID: 46649

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER

Issue/Introduction

TITLE:

How to configure APS (Advanced Password Services) Forgot Password (FPS) Interface

DESCRIPTION:

The following steps guide you through configuring the APS Forgot Password Interface, starting with SiteMinder release r12.5 and higher.

PREREQUISITES:

  • APS is enabled on the Policy Server.
  • The APS schema is created for all user entries.
  • APSExpire has been run to initialize the base APS data for all users.
  • SmPortal.cfg is already configured (if not, the steps below show how to do this).

INSTRUCTIONS:

             

1. User Directory Configuration

   Store the question number and the answer used during the Forgot Password verify stage in a user attribute, exactly as shown in the screenshot:

   In that screenshot, the user attribute 'businessCategory' stores the Question ID and the corresponding answer for that question.

2. Policy Server Configuration (Changes to APS.cfg)

   a. (Optional) Configure FPS audit logging under the [FPS] section:

      Audit Log=C:/Program Files (x86)/CA/siteminder/log/FPS.log

   b. Configure the directory in which FPS searches for users under the [FPS] section:

      Directory=cadir-01:3000

   c. Modify the Lookup attributes to match the attribute names in your user directory under the [FPS-Identify] section.

      (Note: the display field names are matched against the fields on the Identify.asp/Identify.jsp page.)

      Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;Phone=telephoneNumber,homePhone;City=~l;State=st

   d. Specify the user attribute to look up for the answer:

      Lookup=SecretAnswer=businessCategory

   e. Specify the user attribute to look up for the question/answer used in the FPS verify stage. This setting is in the [FPS-Verify] section:

      Initial=*SecretQuestion=businessCategory[format=A,Pick=2,sorted]

   f. Specify the user attribute to display after the password change succeeds, in the [FPS-Confirm] section:

      Initial=uid

   (Note:

   *) Only the most essential fields are configured here for illustration; for the full list of attributes available to FPS, refer to the APS documentation.

   *) If Active Directory is the user store, you also need to configure attribute mapping under the [Mappings] section, e.g.:

      inetOrgPerson=user
      userPassword=unicodePwd
      smapsPassword =
      groupOfUniqueNames=group
      uniqueMember=member

   )
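Added example (not CA's own tooling): a small Python checker for the APS.cfg settings from step 2 above. It parses an INI-style file in which keys may repeat (the two Lookup= lines), treats lines starting with ';' or '#' as comments (an assumption about the file format), and flags a missing Directory or Audit Log as well as a mismatch between the attribute the identify stage reads for SecretAnswer and the one the verify stage reads for SecretQuestion. The embedded configuration is constructed from the values shown in this article.

```python
from collections import defaultdict
# Constructed sample that mirrors the APS.cfg settings in this article.
SAMPLE_APS_CFG = """\
[FPS]
Audit Log=C:/Program Files (x86)/CA/siteminder/log/FPS.log
Directory=cadir-01:3000
[FPS-Identify]
Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;Phone=telephoneNumber,homePhone;City=~l;State=st
Lookup=SecretAnswer=businessCategory
[FPS-Verify]
Initial=*SecretQuestion=businessCategory[format=A,Pick=2,sorted]
[FPS-Confirm]
Initial=uid
"""

def parse_cfg(text):
    """[Section]/Key=Value text -> {section: {key: [values]}}. Repeated keys (the two
    Lookup= lines) accumulate, which configparser rejects; ';'/'#' lines are comments."""
    cfg, section = defaultdict(lambda: defaultdict(list)), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None and line[0] not in ";#":
            key, value = line.split("=", 1)
            cfg[section][key.strip()].append(value.strip())
    return cfg

def parse_lookups(values):
    """'Field=attr;Field=attr' values -> {Field: attr}; the '~' prefix is kept verbatim."""
    pairs = (p.split("=", 1) for v in values for p in v.split(";") if p)
    return {f.strip(): a.strip() for f, a in pairs}

def question_attr(values):
    """User attribute named by an '*SecretQuestion=attr[options]' Initial= value."""
    for value in values:
        if value.lstrip("*").startswith("SecretQuestion="):
            return value.split("=", 1)[1].split("[", 1)[0]
    return None

def check_fps(text):
    """Return findings for the FPS sections; an empty list means they are consistent."""
    cfg = parse_cfg(text)
    findings = [f"[FPS] {k} not set" for k in ("Directory", "Audit Log") if k not in cfg["FPS"]]
    answer = parse_lookups(cfg["FPS-Identify"].get("Lookup", [])).get("SecretAnswer")
    question = question_attr(cfg["FPS-Verify"].get("Initial", []))
    if answer is None or question is None:
        findings.append("SecretAnswer lookup and SecretQuestion Initial must both be set")
    elif answer != question:  # identify and verify stages must read the same attribute
        findings.append(f"SecretQuestion reads {question} but SecretAnswer reads {answer}")
    return findings
```

Run check_fps() against your real APS.cfg text before restarting the Policy Server; a non-empty list means the FPS identify or verify stage will not work as intended.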

3. Web Server Configuration (for illustration, an IIS 7.5 web server is used)

Define a virtual CGI directory for the directory that contains the FPS CGI program

      • Open IIS Manager (type "inetmgr.exe" in the Run window and press Enter).
      • Right-click the Default Web Site and select the Add Virtual Directory option. The virtual directory wizard opens.

        Specify as follows:

        Alias : FPS

        Physical path : <Web_Agent_Installation_Directory>\win32\bin\Web\FPS

      • Click OK.

Add ISAPI and CGI Restrictions for the FPS CGI

      • Open IIS Manager and navigate to the server level.
      • Double-click ISAPI and CGI Restrictions.
      • From the Action menu, click "Add" to add a new restriction.

        Specify as follows:

        ISAPI or CGI path : <Web_Agent_Installation_Directory>\win32\bin\Web\FPS\Forgot.exe

        Description : Forgot.exe

      • Click OK.

Edit Feature Permissions for the Handler Mappings feature of the FPS virtual directory

      • Open IIS Manager and navigate to the FPS virtual directory level.
      • In Features View, double-click Handler Mappings.
      • In the Actions pane, click Edit Feature Permissions.
      • In the Edit Feature Permissions dialog box, do the following:

        Select Read

        Select Scripts

        Select Execute

      • Click OK.

Modify the default SmPortal.cfg file installed

      • Edit the SmPortal.cfg file located in the <Web_Agent_Installation_Directory>\win32\bin folder.

        Specify as follows:

        MyServer.ip = <Your Policy Server IP address>

        By default, FPS is configured with a 4.x agent named "FPS" with shared secret "secret".

        Change Password is configured with a 4.x agent named "SMCPW" with shared secret "secret".

        Log in to the Administrative UI and create the matching 4.x agents as below:

        (Screenshot: FPS Agent.png)

        (Screenshot: SMCPW Agent.png)

      • The final SmPortal.cfg should look like the following:

        (Screenshot: SmPortal.cfg.png)

        (Screenshot: Smportal2.png)

      • Modify Verify.asp (Verify.jsp) to store the actual questions corresponding to the Question IDs configured in the user directory.
      • (Optional) Enable tracing for the FPS and Change Password services.
      • Validate the SmPortal.cfg configuration using the SmPortalVfy.exe tool located in the <Web_Agent_Installation_Directory>\win32\bin folder. It should report the verification as successful, as below:

        (Screenshot: SmportalVerify.png)

 

TESTING & VERIFICATION:

 

1. Access the FPS interface

    e.g. http://<server.domain.com>/FPS/forgot.exe

2. Provide the required fields and optional fields as necessary, and click Submit.

3. Once the user lookup succeeds using the provided user information, the user is prompted to verify with the question and answer.

4. Upon confirmation of the question/answer, the user is finally prompted to change his/her password.

5. In the confirmation screen, the information related to the user is displayed as below:

Sample Policy Server trace log with FPS tracing turned on:

Sample FPS audit log (FPS.log):

Attachment:

APS.cfg.zip

 

Additional Information:

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:
